General

  • Target

    89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe

  • Size

    1.6MB

  • Sample

    240601-ctmqtsfc72

  • MD5

    89d45d766eb2694ff45cd58044964870

  • SHA1

    d086a6a9d539e041dd96e8cb61d0404e15c68735

  • SHA256

    22f7bf186d1354cb9d48a6731b32ed9f58490c856d883744e7c794e7c682c77d

  • SHA512

    055eb1dbb68b5f7948f8b11a7c310f4aa9691f5668b62fd72522ac20ad58efa172aeadedc0766e709846660c2a18402175de91b0775f5ea4fe0167d9434287b0

  • SSDEEP

    24576:ECkU7ab5CK37zto/wcrbw4k3CEXjVCPnJCgwT4rSNbU/YcwpX5DWX:Ev0C8iXiLbwd3CEzVCff52NZn/DW

Malware Config

Targets

    • Target

      89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe

    • DcRat

      DarkCrystal (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins at runtime.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised, for example through an exploit or a malicious macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled
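
    The signatures above are registry behaviours: Winlogon modification, a Run key, a UAC (EnableLUA) check and a Geo\Nation lookup. The script below is an added example, not part of the sandbox report or of DCRat, showing how to turn those behaviours into detection logic over registry telemetry. It assumes Sysmon-style records (TargetObject, Details, Image, EventType); note that Sysmon Event ID 13 only records value writes (SetValue), so the QueryValue rows assume a source such as a sandbox API trace or an EDR that also logs reads. The registry paths are the well-known Windows locations; the sample events, SID and file names are constructed for illustration and are not telemetry from this sample.

```python
import re
from typing import Dict, List

# Hive aliases so "HKEY_LOCAL_MACHINE\..." and "HKLM\..." compare equal.
_HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
          "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}
_SID = re.compile(r"^S-1-5-(?:21-[\d-]+|\d+)\\(.*)$", re.I)


def normalise_key(path: str) -> str:
    """Canonical 'HIVE\\path\\value' form; HKU\\<SID>\\... is folded into HKCU."""
    hive, _, rest = path.strip().replace("/", "\\").partition("\\")
    hive = _HIVES.get(hive.upper(), hive.upper())
    if hive == "HKU":
        m = _SID.match(rest)
        if m:
            hive, rest = "HKCU", m.group(1)
    return f"{hive}\\{rest}".rstrip("\\")


# Well-known locations behind the report's signatures (ATT&CK T1547.004 / T1547.001 / T1548.002).
WINLOGON = r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit|Taskman)$"
RUNKEY = r"^(?:HKLM|HKCU)\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$"
ENABLELUA = r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$"
GEO_NATION = r"^HKCU\\Control Panel\\International\\Geo\\Nation$"

RULES = [(name, op, re.compile(pattern, re.I)) for name, op, pattern in (
    ("winlogon_persistence", "SetValue", WINLOGON),
    ("run_key_autostart", "SetValue", RUNKEY),
    ("uac_enablelua_query", "QueryValue", ENABLELUA),   # "checks whether UAC is enabled"
    ("uac_enablelua_set", "SetValue", ENABLELUA),       # writing 0 here disables UAC
    ("geo_nation_query", "QueryValue", GEO_NATION),     # country code lookup / geofence
)]

# Stock Windows values; a Winlogon write that merely re-sets these is not persistence.
_WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                      "userinit": r"c:\windows\system32\userinit.exe,"}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the registry event matches."""
    key = normalise_key(event["TargetObject"])
    op = event.get("EventType", "SetValue")
    hits = []
    for name, want_op, rx in RULES:
        if op != want_op:
            continue
        m = rx.match(key)
        if not m:
            continue
        if name == "winlogon_persistence":
            default = _WINLOGON_DEFAULTS.get(m.group(1).lower())
            if default is not None and event.get("Details", "").strip().lower() == default:
                continue  # unchanged default, e.g. explorer.exe as Shell
        hits.append(name)
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Map each fired rule to the indices of the events that triggered it."""
    report: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for name in classify(ev):
            report.setdefault(name, []).append(i)
    return report


# Constructed sample telemetry (hypothetical paths and SID), not from the analysed file.
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": r"C:\Users\Public\Updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\Public\Updater.exe"},
    {"EventType": "SetValue", "Image": r"C:\Users\Public\Updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\Updater.exe"},
    {"EventType": "QueryValue", "Image": r"C:\Users\Public\Updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "1"},
    {"EventType": "QueryValue", "Image": r"C:\Users\Public\Updater.exe",
     "TargetObject": r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation",
     "Details": "244"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx} by {sorted({SAMPLE_EVENTS[i]['Image'] for i in idx})}")
```

    The Winlogon rule deliberately suppresses writes that leave Shell or Userinit at their stock values, which is the usual source of false positives for T1547.004; a real Userinit hijack appends a second path after the comma, as in the first constructed event. Grouping hits by Image, as the usage at the bottom does, is what ties the persistence write, the UAC check and the geo lookup back to one dropped executable.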

MITRE ATT&CK Enterprise v15